[ 464.588157] NOHZ: local_softirq_pending 08
[ 464.626524] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 464.633586] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 464.641384] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 464.648952] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 464.658238] device bridge_slave_1 left promiscuous mode
[ 464.664491] bridge0: port 2(bridge_slave_1) entered disabled state
[ 464.697917] device bridge_slave_0 left promiscuous mode
[ 464.703457] bridge0: port 1(bridge_slave_0) entered disabled state
[ 464.760576] device veth1_macvtap left promiscuous mode
[ 464.766283] device veth0_macvtap left promiscuous mode
[ 464.771568] device veth1_vlan left promiscuous mode
[ 464.777677] device veth0_vlan left promiscuous mode
[ 464.885838] device hsr_slave_1 left promiscuous mode
[ 464.937030] device hsr_slave_0 left promiscuous mode
[ 464.982224] team0 (unregistering): Port device team_slave_1 removed
[ 464.991743] team0 (unregistering): Port device team_slave_0 removed
[ 465.001726] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 465.048575] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 465.113138] bond0 (unregistering): Released all slaves
[ 467.487804] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 467.494582] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 467.502044] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 467.508810] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 467.516409] device bridge_slave_1 left promiscuous mode
[ 467.521826] bridge0: port 2(bridge_slave_1) entered disabled state
[ 467.573624] device bridge_slave_0 left promiscuous mode
[ 467.579110] bridge0: port 1(bridge_slave_0) entered disabled state
[ 467.635648] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 467.642460] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 467.650393] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 467.657180] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 467.666250] device bridge_slave_1 left promiscuous mode
[ 467.671656] bridge0: port 2(bridge_slave_1) entered disabled state
[ 467.703584] device bridge_slave_0 left promiscuous mode
[ 467.709030] bridge0: port 1(bridge_slave_0) entered disabled state
[ 467.776013] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 467.782742] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 467.791002] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 467.798074] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 467.806760] device bridge_slave_1 left promiscuous mode
[ 467.812185] bridge0: port 2(bridge_slave_1) entered disabled state
[ 467.873742] device bridge_slave_0 left promiscuous mode
[ 467.879185] bridge0: port 1(bridge_slave_0) entered disabled state
[ 467.946676] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 467.953444] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 467.960820] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 467.968288] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 467.976978] device bridge_slave_1 left promiscuous mode
[ 467.982380] bridge0: port 2(bridge_slave_1) entered disabled state
[ 468.043658] device bridge_slave_0 left promiscuous mode
[ 468.049100] bridge0: port 1(bridge_slave_0) entered disabled state
[ 468.095249] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 468.101933] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 468.111271] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 468.118034] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 468.126427] device bridge_slave_1 left promiscuous mode
[ 468.131862] bridge0: port 2(bridge_slave_1) entered disabled state
[ 468.183875] device bridge_slave_0 left promiscuous mode
[ 468.189321] bridge0: port 1(bridge_slave_0) entered disabled state
[ 468.249512] device veth1_macvtap left promiscuous mode
[ 468.255204] device veth0_macvtap left promiscuous mode
[ 468.260517] device veth1_vlan left promiscuous mode
[ 468.265632] device veth0_vlan left promiscuous mode
[ 468.270930] device veth1_macvtap left promiscuous mode
[ 468.276283] device veth0_macvtap left promiscuous mode
[ 468.281580] device veth1_vlan left promiscuous mode
[ 468.286911] device veth0_vlan left promiscuous mode
[ 468.292183] device veth1_macvtap left promiscuous mode
[ 468.297567] device veth0_macvtap left promiscuous mode
[ 468.302862] device veth1_vlan left promiscuous mode
[ 468.308155] device veth0_vlan left promiscuous mode
[ 468.313573] device veth1_macvtap left promiscuous mode
[ 468.318872] device veth0_macvtap left promiscuous mode
[ 468.324442] device veth1_vlan left promiscuous mode
[ 468.329485] device veth0_vlan left promiscuous mode
[ 468.335005] device veth1_macvtap left promiscuous mode
[ 468.340303] device veth0_macvtap left promiscuous mode
[ 468.345775] device veth1_vlan left promiscuous mode
[ 468.350804] device veth0_vlan left promiscuous mode
[ 468.615443] device hsr_slave_1 left promiscuous mode
[ 468.655504] device hsr_slave_0 left promiscuous mode
[ 468.699633] team0 (unregistering): Port device team_slave_1 removed
[ 468.710058] team0 (unregistering): Port device team_slave_0 removed
[ 468.719107] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 468.765809] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 468.821606] bond0 (unregistering): Released all slaves
[ 468.917006] device hsr_slave_1 left promiscuous mode
[ 468.955464] device hsr_slave_0 left promiscuous mode
[ 468.999370] team0 (unregistering): Port device team_slave_1 removed
[ 469.009755] team0 (unregistering): Port device team_slave_0 removed
[ 469.018936] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 469.065837] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 469.134376] bond0 (unregistering): Released all slaves
[ 469.237429] device hsr_slave_1 left promiscuous mode
[ 469.276820] device hsr_slave_0 left promiscuous mode
[ 469.321105] team0 (unregistering): Port device team_slave_1 removed
[ 469.330071] team0 (unregistering): Port device team_slave_0 removed
[ 469.339245] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 469.387199] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 469.441130] bond0 (unregistering): Released all slaves
[ 469.566364] device hsr_slave_1 left promiscuous mode
[ 469.616856] device hsr_slave_0 left promiscuous mode
[ 469.661048] team0 (unregistering): Port device team_slave_1 removed
[ 469.670086] team0 (unregistering): Port device team_slave_0 removed
[ 469.679358] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 469.717219] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 469.772622] bond0 (unregistering): Released all slaves
[ 469.874549] device hsr_slave_1 left promiscuous mode
[ 469.935393] device hsr_slave_0 left promiscuous mode
[ 469.980291] team0 (unregistering): Port device team_slave_1 removed
[ 469.990084] team0 (unregistering): Port device team_slave_0 removed
[ 469.999268] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 470.037058] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 470.091539] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.0.170' (ECDSA) to the list of known hosts.
[ 521.562775] ==================================================================
[ 521.570428] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x1d2/0x1f0
[ 521.577450] Read of size 8 at addr ffff8880a5b41dc0 by task syz-executor529/1170
[ 521.584977]
[ 521.586591] CPU: 0 PID: 1170 Comm: syz-executor529 Not tainted 4.19.137-syzkaller #0
[ 521.594456] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 521.603873] Call Trace:
[ 521.606564]  dump_stack+0x123/0x177
[ 521.610225]  print_address_description.cold.8+0x9/0x1ff
[ 521.615575]  kasan_report.cold.9+0x242/0x309
[ 521.620003]  ? vgem_gem_dumb_create+0x1d2/0x1f0
[ 521.624663]  __asan_report_load8_noabort+0x14/0x20
[ 521.629587]  vgem_gem_dumb_create+0x1d2/0x1f0
[ 521.634156]  drm_mode_create_dumb+0x1ea/0x2b0
[ 521.638651]  drm_mode_create_dumb_ioctl+0x9/0x10
[ 521.643552]  drm_ioctl_kernel+0x1ab/0x240
[ 521.647711]  ? drm_mode_create_dumb+0x2b0/0x2b0
[ 521.652364]  ? drm_setversion+0x8c0/0x8c0
[ 521.656673]  ? kasan_check_write+0x14/0x20
[ 521.660899]  drm_ioctl+0x47f/0xa00
[ 521.664441]  ? drm_mode_create_dumb+0x2b0/0x2b0
[ 521.669097]  ? drm_version+0x3a0/0x3a0
[ 521.673035]  ? mark_held_locks+0x130/0x130
[ 521.677342]  ? exit_robust_list+0x1d0/0x1d0
[ 521.681731]  do_vfs_ioctl+0x196/0x10c0
[ 521.685631]  ? ioctl_preallocate+0x1c0/0x1c0
[ 521.690131]  ? selinux_file_mprotect+0x5f0/0x5f0
[ 521.694879]  ? ksys_dup3+0x2e0/0x2e0
[ 521.698584]  ? __x64_sys_futex+0x1cb/0x3a0
[ 521.702866]  ? mnt_drop_write_file+0x74/0x90
[ 521.707337]  ? security_file_ioctl+0x4a/0x90
[ 521.711738]  ? __fget_light+0x174/0x1e0
[ 521.715702]  ksys_ioctl+0x62/0x90
[ 521.719182]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 521.723789]  __x64_sys_ioctl+0x6e/0xb0
[ 521.727717]  do_syscall_64+0xd0/0x4e0
[ 521.731585]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 521.736769] RIP: 0033:0x44a809
[ 521.739959] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab cb fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 521.758869] RSP: 002b:00007fb73de50d18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 521.766563] RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 000000000044a809
[ 521.773863] RDX: 0000000020000280 RSI: 00000000c02064b2 RDI: 0000000000000008
[ 521.781125] RBP: 00000000006dbc40 R08: 65732f636f72702f R09: 65732f636f72702f
[ 521.788386] R10: 65732f636f72702f R11: 0000000000000246 R12: 00000000006dbc4c
[ 521.795658] R13: 00007fb73de50d20 R14: 00007fb73de50d20 R15: 20c49ba5e353f7cf
[ 521.802944]
[ 521.804620] Allocated by task 1170:
[ 521.808253]  save_stack+0x43/0xd0
[ 521.811689]  kasan_kmalloc+0xc7/0xe0
[ 521.815400]  kmem_cache_alloc_trace+0x152/0x740
[ 521.820051]  __vgem_gem_create+0x47/0xd0
[ 521.824091]  vgem_gem_dumb_create+0xba/0x1f0
[ 521.828506]  drm_mode_create_dumb+0x1ea/0x2b0
[ 521.833002]  drm_mode_create_dumb_ioctl+0x9/0x10
[ 521.837756]  drm_ioctl_kernel+0x1ab/0x240
[ 521.841897]  drm_ioctl+0x47f/0xa00
[ 521.845435]  do_vfs_ioctl+0x196/0x10c0
[ 521.849312]  ksys_ioctl+0x62/0x90
[ 521.852748]  __x64_sys_ioctl+0x6e/0xb0
[ 521.856624]  do_syscall_64+0xd0/0x4e0
[ 521.860426]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 521.865596]
[ 521.867202] Freed by task 1170:
[ 521.870482]  save_stack+0x43/0xd0
[ 521.873937]  __kasan_slab_free+0x102/0x150
[ 521.878164]  kasan_slab_free+0xe/0x10
[ 521.882030]  kfree+0xcf/0x220
[ 521.885138]  vgem_gem_free_object+0xa7/0xd0
[ 521.889627]  drm_gem_object_free+0x89/0x1a0
[ 521.893985]  drm_gem_object_put_unlocked+0x102/0x130
[ 521.899100]  vgem_gem_dumb_create+0xed/0x1f0
[ 521.903503]  drm_mode_create_dumb+0x1ea/0x2b0
[ 521.908016]  drm_mode_create_dumb_ioctl+0x9/0x10
[ 521.912766]  drm_ioctl_kernel+0x1ab/0x240
[ 521.916903]  drm_ioctl+0x47f/0xa00
[ 521.920432]  do_vfs_ioctl+0x196/0x10c0
[ 521.924320]  ksys_ioctl+0x62/0x90
[ 521.927762]  __x64_sys_ioctl+0x6e/0xb0
[ 521.931635]  do_syscall_64+0xd0/0x4e0
[ 521.935439]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 521.940638]
[ 521.942267] The buggy address belongs to the object at ffff8880a5b41cc0
[ 521.942267]  which belongs to the cache kmalloc-512 of size 512
[ 521.954920] The buggy address is located 256 bytes inside of
[ 521.954920]  512-byte region [ffff8880a5b41cc0, ffff8880a5b41ec0)
[ 521.966780] The buggy address belongs to the page:
[ 521.971709] page:ffffea000296d040 count:1 mapcount:0 mapping:ffff88812c29c940 index:0x0
[ 521.979845] flags: 0xfffe0000000100(slab)
[ 521.983994] raw: 00fffe0000000100 ffffea0002410b48 ffff88812c294748 ffff88812c29c940
[ 521.991869] raw: 0000000000000000 ffff8880a5b41040 0000000100000006 0000000000000000
[ 521.999745] page dumped because: kasan: bad access detected
[ 522.005435]
[ 522.007036] Memory state around the buggy address:
[ 522.011939]  ffff8880a5b41c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 522.019278]  ffff8880a5b41d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 522.026613] >ffff8880a5b41d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 522.033962]                                            ^
[ 522.039446]  ffff8880a5b41e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 522.046791]  ffff8880a5b41e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 522.054130] ==================================================================
[ 522.061476] Disabling lock debugging due to kernel taint
[ 522.067810] Kernel panic - not syncing: panic_on_warn set ...
[ 522.067810]
[ 522.075165] CPU: 0 PID: 1170 Comm: syz-executor529 Tainted: G B 4.19.137-syzkaller #0
[ 522.084426] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 522.093786] Call Trace:
[ 522.096375]  dump_stack+0x123/0x177
[ 522.100059]  panic+0x1cd/0x375
[ 522.103226]  ? __warn_printk+0xd6/0xd6
[ 522.107106]  ? ___preempt_schedule+0x16/0x18
[ 522.111500]  kasan_end_report+0x47/0x4f
[ 522.115481]  kasan_report.cold.9+0x76/0x309
[ 522.119782]  ? vgem_gem_dumb_create+0x1d2/0x1f0
[ 522.124447]  __asan_report_load8_noabort+0x14/0x20
[ 522.129373]  vgem_gem_dumb_create+0x1d2/0x1f0
[ 522.133857]  drm_mode_create_dumb+0x1ea/0x2b0
[ 522.138329]  drm_mode_create_dumb_ioctl+0x9/0x10
[ 522.143062]  drm_ioctl_kernel+0x1ab/0x240
[ 522.147188]  ? drm_mode_create_dumb+0x2b0/0x2b0
[ 522.151832]  ? drm_setversion+0x8c0/0x8c0
[ 522.155956]  ? kasan_check_write+0x14/0x20
[ 522.160166]  drm_ioctl+0x47f/0xa00
[ 522.163685]  ? drm_mode_create_dumb+0x2b0/0x2b0
[ 522.168332]  ? drm_version+0x3a0/0x3a0
[ 522.172192]  ? mark_held_locks+0x130/0x130
[ 522.176479]  ? exit_robust_list+0x1d0/0x1d0
[ 522.180783]  do_vfs_ioctl+0x196/0x10c0
[ 522.184681]  ? ioctl_preallocate+0x1c0/0x1c0
[ 522.189066]  ? selinux_file_mprotect+0x5f0/0x5f0
[ 522.193798]  ? ksys_dup3+0x2e0/0x2e0
[ 522.197487]  ? __x64_sys_futex+0x1cb/0x3a0
[ 522.201699]  ? mnt_drop_write_file+0x74/0x90
[ 522.206085]  ? security_file_ioctl+0x4a/0x90
[ 522.210469]  ? __fget_light+0x174/0x1e0
[ 522.214433]  ksys_ioctl+0x62/0x90
[ 522.217868]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 522.222428]  __x64_sys_ioctl+0x6e/0xb0
[ 522.226295]  do_syscall_64+0xd0/0x4e0
[ 522.230075]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 522.235250] RIP: 0033:0x44a809
[ 522.238416] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab cb fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 522.257298] RSP: 002b:00007fb73de50d18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 522.265001] RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 000000000044a809
[ 522.272290] RDX: 0000000020000280 RSI: 00000000c02064b2 RDI: 0000000000000008
[ 522.279580] RBP: 00000000006dbc40 R08: 65732f636f72702f R09: 65732f636f72702f
[ 522.286829] R10: 65732f636f72702f R11: 0000000000000246 R12: 00000000006dbc4c
[ 522.294097] R13: 00007fb73de50d20 R14: 00007fb73de50d20 R15: 20c49ba5e353f7cf
[ 522.302405] Kernel Offset: disabled
[ 522.306037] Rebooting in 86400 seconds..
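The following triage helper is an added example for this page; it is not code from the kernel, from syzkaller or from the reporter. It takes a KASAN slab report in the form shown above, strips the printk timestamps, extracts the access, the call trace, the allocating and freeing stacks and the slab object geometry, cross-checks the stated "256 bytes inside" against the printed addresses, and decodes the ioctl request number the register dump leaves in RSI. The sample input is constructed from the report's own lines, trimmed to what the parser needs. Two constants come from the kernel's uapi headers rather than from the report: 16 is __NR_ioctl on x86_64 (the ORIG_RAX value above), and type 'd' with nr 0xB2 is DRM_IOCTL_MODE_CREATE_DUMB in include/uapi/drm/drm.h; the one-entry name table is limited to that number on purpose.

```python
# Added triage helper for a KASAN slab report (not kernel or syzkaller code).
import re

# Constructed sample: the page's own report lines, trimmed, timestamps kept.
SAMPLE_REPORT = """\
[ 521.570428] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x1d2/0x1f0
[ 521.577450] Read of size 8 at addr ffff8880a5b41dc0 by task syz-executor529/1170
[ 521.603873] Call Trace:
[ 521.620003]  ? vgem_gem_dumb_create+0x1d2/0x1f0
[ 521.629587]  vgem_gem_dumb_create+0x1d2/0x1f0
[ 521.634156]  drm_mode_create_dumb+0x1ea/0x2b0
[ 521.660899]  drm_ioctl+0x47f/0xa00
[ 521.736769] RIP: 0033:0x44a809
[ 521.758869] RSP: 002b:00007fb73de50d18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 521.773863] RDX: 0000000020000280 RSI: 00000000c02064b2 RDI: 0000000000000008
[ 521.804620] Allocated by task 1170:
[ 521.820051]  __vgem_gem_create+0x47/0xd0
[ 521.824091]  vgem_gem_dumb_create+0xba/0x1f0
[ 521.867202] Freed by task 1170:
[ 521.882030]  kfree+0xcf/0x220
[ 521.885138]  vgem_gem_free_object+0xa7/0xd0
[ 521.893985]  drm_gem_object_put_unlocked+0x102/0x130
[ 521.899100]  vgem_gem_dumb_create+0xed/0x1f0
[ 521.942267] The buggy address belongs to the object at ffff8880a5b41cc0
[ 521.942267]  which belongs to the cache kmalloc-512 of size 512
[ 521.954920] The buggy address is located 256 bytes inside of
[ 521.954920]  512-byte region [ffff8880a5b41cc0, ffff8880a5b41ec0)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                     # printk timestamp prefix
HDR = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACC = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                 r" by task (?P<comm>\S+)/(?P<pid>\d+)")
SECT = re.compile(r"^(?P<name>Call Trace|Allocated by task|Freed by task)(?: (?P<pid>\d+))?:")
FRAME = re.compile(r"^\s*(?P<unreliable>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")
REGION = re.compile(r"region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
REG = re.compile(r"\b(?P<name>ORIG_RAX|R[ABCD]X|R[SD]I|RBP|R0[89]|R1[0-5]): (?P<val>[0-9a-f]{16})")

def parse_kasan_report(text):
    """Return the access, the three stacks, the slab geometry and the registers."""
    rep = {"stacks": {}, "regs": {}, "task_of": {}}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if not line.strip():
            continue
        if m := HDR.match(line):
            rep["kind"], rep["func"] = m["kind"], m["func"]
        elif m := ACC.match(line):
            rep.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16),
                       comm=m["comm"], pid=int(m["pid"]))
        elif m := SECT.match(line):
            section = rep["stacks"].setdefault(m["name"], [])
            if m["pid"]:
                rep["task_of"][m["name"]] = int(m["pid"])
        elif (m := FRAME.match(line)) and section is not None:
            if not m["unreliable"]:        # "? sym" frames are stale stack slots
                section.append(m["func"])
        else:
            section = None                 # any other line ends the current stack
            if m := CACHE.search(line):
                rep["cache"], rep["cache_size"] = m["cache"], int(m["size"])
            if m := OFFSET.search(line):
                rep["stated_offset"] = int(m["off"])
            if m := REGION.search(line):
                rep["obj_start"], rep["obj_end"] = int(m["lo"], 16), int(m["hi"], 16)
            for m in REG.finditer(line):
                rep["regs"][m["name"]] = int(m["val"], 16)
    return rep

def check_geometry(rep):
    """Cross-check the addresses KASAN printed against the offset it stated."""
    off = rep["addr"] - rep["obj_start"]
    return {"offset": off,
            "offset_matches": off == rep["stated_offset"],
            "inside_object": rep["obj_start"] <= rep["addr"]
                             and rep["addr"] + rep["size"] <= rep["obj_end"],
            "region_is_cache_size": rep["obj_end"] - rep["obj_start"] == rep["cache_size"]}

NR_IOCTL_X86_64 = 16                        # ORIG_RAX value for ioctl(2) on x86_64
DRM_IOCTL_BASE = ord("d")
DRM_IOCTL_NR_NAMES = {0xB2: "DRM_IOCTL_MODE_CREATE_DUMB"}   # from include/uapi/drm/drm.h

def decode_ioctl(req):
    """Split a Linux ioctl request number into its _IOC fields (x86 layout)."""
    nr, typ = req & 0xFF, (req >> 8) & 0xFF
    size, d = (req >> 16) & 0x3FFF, (req >> 30) & 3
    return {"dir": ("NONE", "W", "R", "RW")[d], "size": size, "type": chr(typ), "nr": nr,
            "name": DRM_IOCTL_NR_NAMES.get(nr) if typ == DRM_IOCTL_BASE else None}

def triage(text):
    rep = parse_kasan_report(text)
    regs = rep["regs"]
    out = {"bug": f'{rep["kind"]} {rep["op"]} of {rep["size"]} bytes in {rep["func"]}',
           "geometry": check_geometry(rep),
           # one thread allocated, freed and then read the object, and the
           # access site itself sits in the freeing stack: an ordering or
           # refcount mistake inside one call path, not a cross-task race
           "single_task": {rep["pid"]} == set(rep["task_of"].values()),
           "access_site_in_free_stack": rep["func"] in rep["stacks"]["Freed by task"],
           "syscall": None}
    if regs.get("ORIG_RAX") == NR_IOCTL_X86_64:   # RDI=fd, RSI=request, RDX=argp
        out["syscall"] = {"fd": regs["RDI"], **decode_ioctl(regs["RSI"])}
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the report above it confirms what a reader can check by hand: 0xffff8880a5b41dc0 minus the object start 0xffff8880a5b41cc0 is 0x100, the 256 bytes KASAN states, and the 8-byte read stays inside the 512-byte kmalloc-512 region. RSI decodes to a read/write ioctl of type 'd' (DRM), nr 0xB2, payload 0x20 bytes, which is DRM_IOCTL_MODE_CREATE_DUMB on the file descriptor in RDI (8). The freeing stack shows the last reference being dropped through drm_gem_object_put_unlocked at vgem_gem_dumb_create+0xed, and the faulting read is at vgem_gem_dumb_create+0x1d2 in the same invocation, so the function keeps using the object after releasing it.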